This section is intended to provide background or context to the invention recited in the claims. The description of the background art may include insights, discoveries, understandings or disclosures, or associations of disclosures not known in the prior art. Some contributions of the invention may be specifically pointed out below, whereas other contributions of the invention will be apparent from their context.
The term “malware” is short for malicious software and is used to refer to any software designed to infiltrate or damage a computer system without the owner's informed consent. Malware can include viruses, worms, trojan horses, rootkits, adware, spyware and any other malicious and unwanted software. Many computer devices, such as desktop personal computers (PCs), laptops, personal data assistants (PDAs) and mobile phones can be at risk from malware.
Detecting malware is often challenging, as malware may be designed to be difficult to detect, often employing technologies that deliberately hide the presence of malware on a system. For example, a malware application may not show up on the operating system tables that list currently-running processes on a computer.
Many end users make use of anti-virus software to detect and possibly remove malware. In order to detect a malware file, the anti-virus software must have some way of identifying it amongst all the other files present on a device. Typically, this requires that the anti-virus software has a database containing the “signatures” or “fingerprints” that are characteristic of individual malware program files. When the supplier of the anti-virus software identifies a new malware threat, the threat is analysed and its signature is generated. The malware is then “known” and its signature can be distributed to end users as updates to their local anti-virus software databases.
New malware is constantly being created and therefore regular updates to the anti-virus software are essential. In addition to updating the virus signatures, improvements to the software and its components are also distributed to end users, via the web, which ensure that the software runs efficiently and benefits from any software enhancements that may have been developed. Anti-virus software will typically contain a number of modules that are updatable, for example the scanning engine, parts of the scanning logic, drivers and UI components. Every week, anti-virus software will typically receive hundreds of updated components, including new signatures, configuration data and software components. Once the supplier of the anti-virus software has identified a new piece of malware, it is important that an update is sent out quickly to end users so that their computer systems are protected from an attack from said malware.
Due to the short timeframe and tight update schedule that is required, there is a significant chance that a given update may contain errors, and quality assurance is not always perfect. This is compounded by the fact that anti-virus software is used by a very large number of end users using many different computer system configurations. As such, anti-virus software will be expected to perform correctly on computer systems with different operating systems, language localizations, different installed components and so on. This makes it very hard to recreate or model exactly the same configuration in testing as that running on end-user computer systems.
Each update that is sent out to end users can potentially cause instability in the anti-virus software running on their computer systems. Furthermore, due to the high-level requirements of anti-virus software (i.e. the detection and removal of potentially harmful installed components), it typically runs at a high system level and so any problems with the anti-virus software, due to a faulty update for example, can cause severe disruptions to a user's computer system. Examples of common issues arising from problem updates are: stability problems, where the received update is not compatible with one or more current components in the software and causes the computer system to crash; “hanging” during virus scanning or very lengthy scan times; losing malware detection and/or clean-up function entirely; or the engine returning false positives caused by an update.
The problems mentioned above can be particularly severe if they are in relation to common system files. For example, if a crash occurs during scanning of an operating system file, or if such a file was returned as a false positive, then this could potentially lead to a problem that is so severe that the computer system no longer functions correctly. Another major concern is that a problem update locks down the anti-virus software and it becomes impossible to provide an automatic update fix, requiring a complete re-installation of the software.